I have the following result from a Splunk query using appendcols, because the same logs always have different events with different messages.
message1 or message2 is just a name..
Message Count1 Message2 count2
hello 5 hi 10
The output I am looking for is:
Message count   <-- header fields
hello 5
hi 10
Instead of appendcols, you should use just append. Also, remember to rename the fields in the 2nd search (Message2 and Count2) to the same names as in the first search.
search 1 | table Message Count
| append [search 2 | table Message2 Count2 | rename Message2 as Message Count2 as Count ]
See this to know the difference between append and appendcols.
https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html
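The append-versus-appendcols point in this answer, modelled in Python as an added example (not from the thread or from Splunk itself): SEARCH1 and SEARCH2 are constructed stand-ins for the two result tables in the question, and the three functions only mimic the row/column behaviour of the SPL commands they are named after.

```python
# Added example (not from the Splunk Answers thread): a small model of how
# `append` and `appendcols` combine two result sets, using the two result
# tables from the question. Field names and row values are constructed.

# Results of the first search: one row per distinct message.
SEARCH1 = [{"Message": "hello", "Count": 5}]
# Results of the second search, which extracted its own field names.
SEARCH2 = [{"Message2": "hi", "Count2": 10}]


def appendcols(left, right):
    """Model of `appendcols`: row i of the subsearch is glued onto row i of
    the main results as extra columns (the wide table the question shows)."""
    rows = []
    for i in range(max(len(left), len(right))):
        row = {}
        row.update(left[i] if i < len(left) else {})
        row.update(right[i] if i < len(right) else {})
        rows.append(row)
    return rows


def append(left, right):
    """Model of `append`: subsearch rows are added after the main rows.
    Values only land in the same column if both sets use the same field names."""
    return [dict(r) for r in left] + [dict(r) for r in right]


def rename(rows, mapping):
    """Model of `rename old as new`, applied to every row."""
    return [{mapping.get(k, k): v for k, v in r.items()} for r in rows]


def field_names(rows):
    """Union of field names across rows, in first-seen order (the table header)."""
    names = []
    for r in rows:
        for k in r:
            if k not in names:
                names.append(k)
    return names


if __name__ == "__main__":
    # appendcols: one wide row with four header fields
    print(appendcols(SEARCH1, SEARCH2))
    # append without rename: two rows, but still four header fields
    print(field_names(append(SEARCH1, SEARCH2)))
    # append after rename: two rows under the two wanted headers
    fixed = append(SEARCH1, rename(SEARCH2, {"Message2": "Message", "Count2": "Count"}))
    print(field_names(fixed), fixed)
```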
It is the same index, but I have to extract different fields each time from the events, since the events returned have different messages.
I tried using transport; it didn't work.
Thanks, it did work.
Glad it's working for you. If it's the same index, you probably don't need a subsearch. If you could share your search, we can look at it to see if both searches can be merged into one for better performance.
Here is the Splunk query:
index=index1 sourcetype=index1_log
| rex field=_raw "(?<Message>exception\s\w+\s\w+)"
| stats count by Message
| table Message count
| append [search index=index2 sourcetype=index2_log
    | rex field=_raw "(?<message>message\s\w+\s\w+)"
    | stats count as count1 by message
    | table message count1
    | rename message as Message count1 as count]
| rename count as "Hit Count"
Give this a try:
(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log)
| rex field=_raw "(?<Message>(exception|message)\s\w+\s\w+)"
|stats count as "Hit Count" by Message
Let me try it. Thanks.
When adding timechart span=3h count usenull=f useother=f for both indexes, I am getting the error: please rename count columns.
You're getting that in the same query?